Monday, December 08, 2008

Trojan Horse Warrant?

Maybe you saw the stories that were getting a fair amount of play a couple of days ago . . . the ones about the European Union’s new five-year plan to target cybercrime?

According to the press release and some other information I found, the plan encompasses conducting “remote searches” of computers.

Neither the press release nor anything else I can find online explains what, precisely, these “remote searches” would involve. At least one person speculated that it might consist of remotely installing keystroke loggers . . . an updated version of the perhaps apocryphal FBI “Magic Lantern” program. “Magic Lantern” was alternately described as a keystroke logger program or a Trojan horse program.

A couple of years ago the German police were using a Trojan horse program – the Federal Trojan – to conduct remote surveillance of computers. That program seems to have targeted terrorists, in particular, . . . but it ended when the German courts held that the practice violated the law.

I don’t know WHAT the EU’s “remote searches” initiative will involve. It might involve the use of keystroke loggers or Trojan horse programs . . . or it might simply involve the kind of searches the FBI is conducting courtesy of P2P file-sharing software. I also don’t really know how EU/European law would deal with the permissibility of conducting remote searches of either type, i.e., logger, Trojan or P2P.

Since I don’t know what the EU initiative will consist of, or how EU law will deal with it, I decided to do a post analyzing how the first two kinds of remote searches – the use of keystroke loggers and Trojan horse programs – might work under US law. I’m not going to talk about the P2P option because, as I’ve written before, law enforcement’s using P2P software to access files you have opened up for file-sharing is not a “search” under our 4th Amendment. Since it isn’t a search, it doesn’t require that law enforcement obtain a warrant or otherwise comply with the 4th Amendment in conducting such an investigation.

Installing a keystroke logger or a Trojan horse program on someone’s computer without their knowledge or consent (no P2P software or anything analogous) definitely would be a search under the 4th Amendment. As I tell my students, courts treat computers – more precisely, computer hard drives – as a closed container, and we have a 4th Amendment expectation of privacy in closed containers.

So to install either a logger or a Trojan horse program, law enforcement would have to comply with the requirements of the 4th Amendment by obtaining a search warrant, or, to be more precise, a search and seizure warrant. Search warrants authorize officers to go to a particular place and search for particular evidence; they also authorize the officers to seize that evidence if and when they find it. To be valid, a search (and seizure) warrant must be based on probable cause (to believe evidence of a particular crime will be found) and must “particularly describe” the place to be searched and the item(s) to be seized.

So for a search (and seizure) warrant to remotely install a keystroke logger or a Trojan horse program, officers would have to show probable cause to believe that particular evidence will be found on the computer on which the program is to be installed. For the sake of analysis, we’ll assume that wouldn’t be a problem. The warrant would also have to “particularly describe” the place to be searched, which is the computer on which the program is to be installed. So the warrant application, and the warrant, would have to include details that specifically identified the target computer. The description of the item(s) to be seized would probably take the form of describing the type of evidence that is being sought . . . evidence of child pornography, or terrorism, or fraud or whatever crime(s) the officers are investigating.

About ten years ago, federal agents got a search warrant to install a keystroke logger on a computer being used by Nicodemus Scarfo, who was suspected of loansharking and illegal gambling. Actually, the agents got a couple of warrants because they did not install the logger program remotely; instead, they made a surreptitious entry into his office and manually installed the program. The program was used, successfully, to obtain the key – the passphrase – for an encrypted file the agents knew was on the computer. (You can find a summary of the facts in the opinion you can read here.)

In this case, then, the use of the logger program to search for and seize the evidence was novel, but the process by which the program was installed was not so novel. The agents simply entered the office, accessed the computer and installed the program; entering the office was clearly a search (because you have a reasonable expectation of privacy in your office), as, I assume, was installing and using the logger program (we also have a 4th Amendment expectation of privacy in the keystrokes we type on our computer, at least when we’re using the computer in a private place, like our private office).

As I explained in an earlier post, I believe using the logger was both a search and a seizure, because it seized information about the keystrokes. But the search (and seizure) warrant authorizing the use of the logger program authorized the seizure of the keystrokes, so I think it covered all the bases there.

Now let’s analyze the process of remotely installing a logger program or a Trojan horse program for the purpose of searching a suspect’s computer. I see this as presenting several novel issues, one of which goes to the process of installing the program.

I think that one won’t prove particularly difficult to deal with. The USA Patriot Act authorized the use of surreptitious searches (something like the keystroke logger installation in the case above) to obtain information. The searches are called “sneak and peek” searches and the warrants authorizing them are called “sneak and peek” (S&P) warrants. The practice of issuing S&P warrants arose prior to the Patriot Act, but the Act formally brought them into federal law.

When S&P searches began being conducted, they were challenged on two bases: Unlike traditional searches and seizures pursuant to a warrant, they are conducted in secret; the whole point (as in the Scarfo case) is not to let the suspect know officers have been in his/her/their property looking for evidence. Traditional searches and seizures are conducted in public; the owner(s) of the property are often present when they are conducted, and they are given a copy of the warrant and an inventory of what was taken.

None of that is true for S&P searches. Courts upheld S&P searches even though they differ markedly from the kinds of searches the 4th Amendment deals with because they found that these searches comport with constitutional requirements as long as they are conducted pursuant to, and in accordance with, a valid search warrant. So I think the process of installing a logger or Trojan horse program for the purpose of conducting a remote search of a computer could be justified under this same rationale; it would be necessary to include in the warrant a specification of how long the remote search could continue, but otherwise the basic S&P procedure would probably work here, as well.

Describing the place to be searched should not, as I noted earlier, be a particular problem, nor should describing the evidence to be seized. I think, as I just noted, that specifying a particular time frame for the conduct of the search would be an essential element of satisfying this aspect of the 4th Amendment . . . because otherwise officers could install a program and let it sit on a computer indefinitely, perhaps gathering evidence of crimes neither they nor the suspect had contemplated when the original warrant was issued. I think the temporal dimension would be critical to satisfying 4th Amendment requirements here.

The warrant would have to authorize the seizure of evidence, once found, but that, again, should not be a particular problem. The logger/Trojan program would have to be configured so that it only captured data within the scope of the warrant (though if that were impracticable, and if the data capture went beyond the scope of the warrant, that could presumably be dealt with by simply not letting the government use that evidence for any purpose).

As long as the searching and seizing is being conducted automatically, i.e., by the program instead of by a human being, the “plain view” doctrine would not apply. As I’ve noted before, that’s a principle that expands the scope of a legitimate 4th Amendment search. If an officer has a search warrant to search my house for stolen jewels and sees a bag of cocaine (all this is hypothetical) on my coffee table, the officer’s looking at the bag of cocaine is not a search (because he has the right to be where he is) and if looking at it gives him probable cause to believe it’s evidence of a crime, he can seize it. I don’t see how the plain view doctrine can apply to the extent that the remote searches we’re hypothesizing would be conducted by a program, not a person operating the program.

Finally, the use of these programs could not be lawfully conducted with only a search warrant if they in any way intercepted communications coming into or being sent from the computer being searched. Intercepting communications constitutes a wiretap, and wiretaps require a special authorization – a Title III order.

That became an issue in the Scarfo case because the computer had a modem and, as we all know, keystrokes are used to send emails and other communications. The government convinced the judge that the logger program used in the Scarfo case was configured so it shut off when the modem was active, so that overcame the Title III issue. That issue, though, would have to be addressed in future cases involving the use of logger or Trojan horse programs; if the government wanted to obtain communications as well as static data, they would have to get both a search warrant and a Title III order.

There’s another huge issue, which I’ve written about before: The use of remote searches directed at computers that are outside the territorial boundaries of the United States. I'll take that up in another post.
